Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Object Access->EventID 560 - Object Open [Win 2003]
EventID 560 - Object Open [Win 2003]
Indicates that an attempt was made to access a Windows object (file, folder, registry key, printer or service). Success or failure is indicated in the message. If access was successful, the listed accesses were requested and granted. If access failed, the listed accesses were requested but not granted. 

This message corresponds to a Security 567 message, which indicates that an object was accessed, and to a Security 562 message , which indicates that the handle of the object was successfully closed. Associated messages have the same Handle ID number.
EventID 560 tracks access only to Windows objects such as files, folders, registry keys, printers and services. If you need to track access to Active Directory objects such as users, groups, organizational units, group policy objects, domains, sites, etc, look for EventID 565 and 566 in the Directory Service Access category.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:

Windows XP Windows 2000 Windows 2008


        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Object Access
        Event ID:       560
        Date:           10/26/2009
        Time:           07:41:23
        User:           NT AUTHORITY\SYSTEM
        Computer:       DC1
        Object Open:
        Object Server:	Security
        Object Type:	File
        Object Name:	C:\WINDOWS\Tasks\At1.job
        Handle ID:	2428
        Operation ID:	{0,6451050}
        Process ID:	880
        Image File Name:	C:\WINDOWS\system32\svchost.exe
        Primary User Name:	DC1$
        Primary Domain:	RESEARCH
        Primary Logon ID:	(0x0,0x3E7)
        Client User Name:	-
        Client Domain:	-
        Client Logon ID:	-
        Accesses:	%READ_CONTROL
        %WriteData (or AddFile)
        %AppendData (or AddSubdirectory or CreatePipeInstance)

        Privileges:	-
        Restricted Sid Count:	0
        Access Mask:	0x120196
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2003
Category Object Access
Source Security
EventId 560
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
Process ID ID of the process (program) making the access request InsertionString7 380
Object Server The name of the service handling the access request InsertionString1 Security
Object Type The type of object accessed (file, folder, registry key, printer, service) InsertionString2 File
Object Name Name of the object (e.g. for the file accessed - full system path) InsertionString3 C:\WINDOWS\Tasks\At1.job
Handle ID ID of the object handle granted to the process accessing it InsertionString4 2428
Operation ID ID of the operation performed on the object Expression {0,654658}
Image File Name Full path and name of the program making the access request InsertionString8 C:\WINDOWS\system32\svchost.exe
Primary User Name For local access identifies the user accessing the object, for remote access identifies the server program used to open the object InsertionString9 DC1$
Primary Domain Domain of the Primary User Name InsertionString10 RESEARCH
Primary Logon ID ID of the logon session of the Primary User Name account InsertionString11 (0x0,0x3E7)
Client User Name For local access this field is empty, for remote access identifies the user accessing the object. InsertionString12 -
Client Domain Domain of the Client User Name InsertionString13 -
Client Logon ID ID of the logon session of the Client User Name account InsertionString14 -
Accesses Identifies the permissions requested by user/program to the object. InsertionString15 %READ_CONTROL
Privileges The list of privileges held by user during object access InsertionString16 -
Restricted SID Count The purpose of this field is unknown InsertionString17
Access Mask The actual set of rights for the user accessing the object. InsertionString18 0x120196
You must be logged in to comment